Site-to-site outbound firewall best practices?

SOLVED
dalmiroy2k
Getting noticed

Site-to-site outbound firewall best practices?

Hi guys, I currently running a Hub-and-spoke topology and I only need remote endpoints to reach both a local DNS and an HTTPS internal web page in the HQ subnet.

So far I have enabled those subnets and ports and a implicit deny all at the bottom (on top of the implicit allow all).

My objective is reduce malware propagation and threats originated internally through the VPN (Ports scans, DDoS). Both Endpoints and HQ have Advanced licence with IDS set @  Prevention / Security

I was wondering what are you Site-to-site outbound firewall best practices? Any other tip to control and secure VPN usage?

 

dalmiroy2k_0-1576768021877.png

 

Thanks!

1 ACCEPTED SOLUTION
BrechtSchamp
Kind of a big deal

Seems to me that by doing this you'll be blocking all port scans through VPN. Simply because only requests to the ports you defined will be allowed. A DDoS to the HTTPS or DNS servers would still be possible, but then someone would need to launch a coordinated attack with multiple infected clients in your remote networks. To mitigate that I'd recommend to deploy an endpoint security solution.

 

I noticed that you're allowing traffic to whole /24 subnets though. Is that necessary? Why not just the /32 of the specific  server(s)?

View solution in original post

2 REPLIES 2
BrechtSchamp
Kind of a big deal

Seems to me that by doing this you'll be blocking all port scans through VPN. Simply because only requests to the ports you defined will be allowed. A DDoS to the HTTPS or DNS servers would still be possible, but then someone would need to launch a coordinated attack with multiple infected clients in your remote networks. To mitigate that I'd recommend to deploy an endpoint security solution.

 

I noticed that you're allowing traffic to whole /24 subnets though. Is that necessary? Why not just the /32 of the specific  server(s)?

Great point BrechtSchamp. /24 subnets were allowed during initial setup but I should setup the servers addresses only.

 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels